Messaging Server: Setting Up a No Phishing Zone
Experienced Messaging Server administrators know that dealing with spam is a high-priority job requiring constant attention, as spammers evolve and refine their methods of attack. Recently, many admins have noted the rise of phishing attacks, especially (but not exclusively) against webmail clients.
Long-time Messaging Server admins have been exchanging ideas and collaborating on all aspects of Messaging Server, including anti-spam/anti-virus techniques, by using the Info-IMS@arnold.com forum. In brief, this alias is the independent discussion forum for those interested in Messaging Server and all its permutations (Java Enterprise System, Sun ONE, iPlanet Messaging Server). If you are a Messaging Server administrator and haven't yet subscribed to this alias, we highly recommend that you do so.
An email thread from July 2008 highlighted the phishing problem, especially in the EDU space. Many ideas were suggested on how to combat this particular spam issue. You can view the full thread on this topic at the following URL:
http://lists.balius.com/pipermail/info-ims-archive/2008-July/029647.html
Following is a summary of anti-spam techniques to consider:
- Examine the Sent folder to get the source IP of the submission, then "null route" that IP address on the Webmail front ends.
- Configure MeterMaid, which shipped with Messaging Server 6.3. MeterMaid limits the number of messages a user can send in a number of minutes regardless of source (SMTP, Webmail). More info on configuring MeterMaid here.
- Use the ./imsconnutil -k -u uid command to disconnect the offending user account.
- Block the offending IP address at your firewall.
- Set the inetuserstatus attribute for the offending user to deleted, change the user's password, then clear the queue(s). Note that this technique responds to an attack rather than preventing or detecting it.
- Enable the Directory Server audit log. Monitor for changes to directory entries, such as signature files and reply-to addresses, by using a script and crontab to classify likely compromised accounts.
- Read about Sun's recommendation for how to deploy the Messaging Server MTA and anti-spam/anti-virus scanning systems: http://www.sun.com/bigadmin/sundocs/articles/preferred_deploy_mta.jsp
- Call out to MeterMaid from the FROM_ACCESS mapping table, passing the authenticated user as data, rather than (or perhaps in addition to) calling out to MeterMaid from the PORT_ACCESS mapping table, passing the source IP as data. This technique limits how many messages a given authenticated user can submit.
- Use Postfix/Policyd. Then change the default smtphost of Webmail to use it.
- Use this list of password-phishing reply addresses: http://code.google.com/p/anti-phishing-email-reply/
- Implement scanning systems on both incoming and outgoing email.
- Use the http://www.senderbase.org/ database.
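As an added illustration of the audit-log technique above (example code written for this summary, not part of the thread or of Messaging Server itself), the script below parses the LDIF-style records that the Directory Server audit log writes and flags accounts whose reply-to or signature attributes were modified, noting when a new reply-to points outside the local domain. The attribute names, the local domain and the log excerpt are assumptions constructed for the example.

```python
from collections import defaultdict

# Assumed attribute names; substitute the ones your deployment stores
# webmail reply-to addresses and signatures in.
WATCHED_ATTRS = {"mailreplyto", "mailsignature"}
LOCAL_DOMAINS = {"example.edu"}

# Constructed excerpt in the LDIF-style layout of the Directory Server audit log.
SAMPLE_AUDIT_LOG = """\
time: 20080721031502
dn: uid=alice,ou=People,o=example.edu
changetype: modify
replace: mailReplyTo
mailReplyTo: verify-account@badphish.example
-
replace: modifytimestamp
modifytimestamp: 20080721031502Z
-
"""

def parse_audit_log(text):
    """Yield (time, dn, {attr: [values]}) for each modify record."""
    for record in text.strip().split("\n\n"):
        hdr, mods, current = {}, defaultdict(list), None
        for line in record.splitlines():
            key, _, value = line.partition(": ")
            if line == "-":                        # end of one modification
                current = None
            elif key in ("time", "dn"):
                hdr[key] = value
            elif key in ("replace", "add"):        # start of a modification
                current = value.lower()
            elif current and key.lower() == current:
                mods[current].append(value)
        if "dn" in hdr and mods:
            yield hdr.get("time"), hdr["dn"], dict(mods)

def classify_suspicious(text, local_domains=LOCAL_DOMAINS):
    """Map each DN whose watched attributes changed to a list of reasons."""
    flagged = defaultdict(list)
    for time, dn, mods in parse_audit_log(text):
        for attr in sorted(WATCHED_ATTRS & mods.keys()):
            for value in mods[attr]:
                reason = f"{time}: {attr} changed"
                domain = value.rpartition("@")[2].lower() if "@" in value else ""
                if attr == "mailreplyto" and domain and domain not in local_domains:
                    reason += f" to external domain {domain}"
                flagged[dn].append(reason)
    return dict(flagged)
```

Run it from cron against the rotated audit log and feed the flagged DNs into whatever hold or password-reset procedure you use.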

Comments (1)
Jul 21, 2008
DerekDiget says:
I would have to go back and re-read the thread, but I don't think that you want to set inetUserStatus to "deleted". If you run msuserpurge daily via a scheduled job, you risk deleting the user's message store data. Instead, I would think that you want to set the user's mailUserStatus to "hold".